Valid Configurations

User impersonation only happens when both the Controller and Node are set to "UseImpersonation", and the authorization schemes allow the caller's credentials to be passed through to the handler. The table below tells whether a handler will execute under the caller's credentials, assuming both the Controller and Node allow impersonation. Cells marked "N/A" are not valid configurations for Synapse authentication between the Controller and Node, regardless of impersonation settings.

Controller (rows) \ Node (columns) | Anonymous | Basic | Integrated | Ntlm | Negotiate
--- | --- | --- | --- | --- | ---
Anonymous | No | N/A | No | No | No
Basic | No | Yes | N/A | N/A | N/A
Integrated | No | N/A | Yes | Yes | Yes
Ntlm | No | N/A | Yes | Yes | Yes
Negotiate | No | N/A | Yes | Yes | Yes

Common Configurations

For each scenario below, assume the following setup:

User : The user "SANDBOX\guy" will be calling the Synapse Controller to start execution of a plan.

Controller : The Controller service is running under the credentials "SANDBOX\synapse-controller".

Node : The Node service is running under the credentials "SANDBOX\synapse-node".

Also, each scenario below assumes impersonation is set to true in both the Controller and Node config files. To see how each scenario below would differ with user impersonation disabled, click here.

Simple Windows Authentication

The Controller and Node both accept a single authentication type of IntegratedWindowsAuthentication, Ntlm or Negotiate, and both are set to use client impersonation.

Client passes user's (SANDBOX\guy) credentials to Controller.

Controller passes plan to Node using the client's credentials (SANDBOX\guy).

Authentication on Controller Only

This is where the Controller has Windows Authentication set (Ntlm, Negotiate, or IntegratedWindowsAuthentication) but the Node is running with no authentication. The key thing to remember here is that if you don't have "SignPlan" set to true in the Controller and "ValidatePlanSignature" set to true in the Node, users could bypass the Controller and execute plans directly, without any authentication, if they knew the Node's URL. Since user credentials never make it past the Controller, the effect of this pattern is the same whether or not impersonation is enabled.

Client passes user's (SANDBOX\guy) credentials to Controller.

Controller passes plan to Node with no credentials.

Node executes handlers using the Node service RunAs credentials (SANDBOX\synapse-node).

Node sends status updates to Controller using the Node service RunAs credentials (SANDBOX\synapse-node).
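To make the SignPlan / ValidatePlanSignature point concrete, here is an added Python model of this scenario. It is not Synapse's code: the HMAC signing key, the envelope layout and the Node class are assumptions standing in for the real plan-signing mechanism. It shows that a Node with no authentication of its own only refuses an unsigned or altered plan when signature validation is on, and that the handler runs as the Node's service account either way.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment's signing material is not modelled here.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(plan: dict) -> bytes:
    """Serialize the plan deterministically so Controller and Node sign the same bytes."""
    return json.dumps(plan, sort_keys=True, separators=(",", ":")).encode()


def sign_plan(plan: dict, key: bytes = SIGNING_KEY) -> dict:
    """Controller side with SignPlan=true: attach an HMAC-SHA256 over the plan body."""
    return {"plan": plan, "signature": hmac.new(key, _canonical(plan), hashlib.sha256).hexdigest()}


class Node:
    """Stand-in for a Node that accepts anonymous calls (no authentication of its own)."""

    def __init__(self, run_as: str, validate_plan_signature: bool):
        self.run_as = run_as                              # service RunAs account
        self.validate_plan_signature = validate_plan_signature

    def execute(self, envelope: dict, key: bytes = SIGNING_KEY) -> dict:
        plan = envelope["plan"]
        if self.validate_plan_signature:
            expected = hmac.new(key, _canonical(plan), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, envelope.get("signature", "")):
                return {"accepted": False, "reason": "invalid or missing plan signature"}
        # No caller credentials reach the Node in this pattern, so the handler runs
        # as the Node's own account regardless of the impersonation setting.
        return {"accepted": True, "run_as": self.run_as, "plan": plan["name"]}


if __name__ == "__main__":
    plan = {"name": "deploy", "steps": ["copy", "restart"]}       # constructed sample plan
    strict = Node("SANDBOX\\synapse-node", validate_plan_signature=True)
    lax = Node("SANDBOX\\synapse-node", validate_plan_signature=False)
    print("via Controller, validated:", strict.execute(sign_plan(plan)))
    print("direct to Node, validated:", strict.execute({"plan": plan}))
    print("direct to Node, not validated:", lax.execute({"plan": plan}))
```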

Multi-Authentication on Controller, Windows Authentication on Node

This allows both Basic and Windows Authentication (Ntlm, Negotiate, or IntegratedWindowsAuthentication) to the Controller, but enforces Windows Authentication on the Node. This setup is used to support applications that cannot send Windows credentials in their web calls. Warning : Basic authentication is not secure on its own. The username and password are simply Base64 encoded in the request header, so it should only be used over a secure connection.